make it easier to define weak password definitions

add tests for weak passwords
make it easier to check values of errors returned from weak password
loosen weak password requirements for long passwords
reduce boilerplate when loading json files
only check for email in passwords when it is longer than two chars
more canonemail tests
This commit is contained in:
Azareal 2020-06-18 08:03:36 +10:00
parent 0254687d5b
commit f0c9544af6
4 changed files with 191 additions and 62 deletions

View File

@ -4,10 +4,8 @@ import (
"bytes"
//"fmt"
//"log"
"encoding/json"
"io/ioutil"
"net/url"
"os"
"path/filepath"
"regexp"
"strconv"
@ -45,6 +43,7 @@ var attachOpen = []byte("<a class='attach'href=\"")
var attachClose = []byte("\"download>Attachment</a>")
var sidParam = []byte("?sid=")
var stypeParam = []byte("&amp;stype=")
/*var textShortOpen = []byte("<a class='attach'href=\"")
var textShortOpen2 = []byte("\">View</a> / <a class='attach'href=\"")
var textShortClose = []byte("\"download>Download</a>")*/
@ -71,13 +70,8 @@ type emojiHolder struct {
}
func InitEmoji() error {
data, err := ioutil.ReadFile("./config/emoji_default.json")
if err != nil {
return err
}
var emoji emojiHolder
err = json.Unmarshal(data, &emoji)
err := unmarshalJsonFile("./config/emoji_default.json", &emoji)
if err != nil {
return err
}
@ -89,15 +83,8 @@ func InitEmoji() error {
}
}
data, err = ioutil.ReadFile("./config/emoji.json")
if err == os.ErrPermission || err == os.ErrClosed {
return err
} else if err != nil {
return nil
}
emoji = emojiHolder{}
err = json.Unmarshal(data, &emoji)
err = unmarshalJsonFileIgnore404("./config/emoji.json", &emoji)
if err != nil {
return err
}
@ -484,14 +471,14 @@ func (ps *ParseSettings) CopyPtr() *ParseSettings {
}
func ParseMessage(msg string, sectionID int, sectionType string, settings *ParseSettings, user *User) string {
msg, _ = ParseMessage2(msg,sectionID,sectionType,settings,user)
msg, _ = ParseMessage2(msg, sectionID, sectionType, settings, user)
return msg
}
// TODO: Write a test for this
// TODO: We need a lot more hooks here. E.g. To add custom media types and handlers.
// TODO: Use templates to reduce the amount of boilerplate?
func ParseMessage2(msg string, sectionID int, sectionType string, settings *ParseSettings, user *User) (string,bool) {
func ParseMessage2(msg string, sectionID int, sectionType string, settings *ParseSettings, user *User) (string, bool) {
if settings == nil {
settings = DefaultParseSettings
}
@ -1095,7 +1082,7 @@ func parseMediaString(data string, settings *ParseSettings) (media MediaEmbed, o
vid, err := strconv.ParseInt(strings.TrimPrefix(path, "/watch/sm"), 10, 64)
if err == nil {
media.Type = ERawExternal
media.Body = "<iframe class='postIframe'src='https://embed.nicovideo.jp/watch/sm"+strconv.FormatInt(vid, 10)+"?jsapi=1&amp;playerId=1'frameborder=0 allowfullscreen></iframe>"
media.Body = "<iframe class='postIframe'src='https://embed.nicovideo.jp/watch/sm" + strconv.FormatInt(vid, 10) + "?jsapi=1&amp;playerId=1'frameborder=0 allowfullscreen></iframe>"
return media, true
}
}

View File

@ -10,9 +10,11 @@ import (
"crypto/rand"
"encoding/base32"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"html"
"io/ioutil"
"math"
"os"
"strconv"
@ -161,11 +163,12 @@ func RelativeTimeBytes(t time.Time, lang int) []byte {
}
*/
var pMs = 1000;
var pSec = pMs * 1000;
var pMin = pSec * 60;
var pHour = pMin * 60;
var pDay = pHour * 24;
var pMs = 1000
var pSec = pMs * 1000
var pMin = pSec * 60
var pHour = pMin * 60
var pDay = pHour * 24
func ConvertPerfUnit(quan float64) (out float64, unit string) {
f := func() (float64, string) {
switch {
@ -186,7 +189,6 @@ func ConvertPerfUnit(quan float64) (out float64, unit string) {
return math.Ceil(out), unit
}
// TODO: Write a test for this
func ConvertByteUnit(bytes float64) (float64, string) {
switch {
@ -341,7 +343,7 @@ func NameToSlug(name string) (slug string) {
func HasSuspiciousEmail(email string) bool {
lowEmail := strings.ToLower(email)
// TODO: Use a more flexible blacklist, perhaps with a similar mechanism to the HTML tag registration system in PreparseMessage()
if !strings.Contains(lowEmail,"@") || strings.Contains(lowEmail, "casino") || strings.Contains(lowEmail, "viagra") || strings.Contains(lowEmail, "pharma") || strings.Contains(lowEmail, "pill") {
if !strings.Contains(lowEmail, "@") || strings.Contains(lowEmail, "casino") || strings.Contains(lowEmail, "viagra") || strings.Contains(lowEmail, "pharma") || strings.Contains(lowEmail, "pill") {
return true
}
@ -361,24 +363,63 @@ func HasSuspiciousEmail(email string) bool {
return dotCount > 7 || shortBits > 2
}
var weakPassStrings = []string{"test", "123", "6969", "password", "qwerty", "fuck", "love"}
func unmarshalJsonFile(name string, in interface{}) error {
data, err := ioutil.ReadFile(name)
if err != nil {
return err
}
return json.Unmarshal(data, in)
}
// TODO: Write a test for this
func WeakPassword(password, username, email string) error {
lowPassword := strings.ToLower(password)
switch {
case password == "":
return errors.New("You didn't put in a password.")
case len(password) < 8:
return errors.New("Your password needs to be at-least eight characters long")
case strings.Contains(lowPassword, strings.ToLower(username)) && len(username) > 3:
return errors.New("You can't use your username in your password.")
case email != "" && strings.Contains(lowPassword, strings.ToLower(email)):
return errors.New("You can't use your email in your password.")
func unmarshalJsonFileIgnore404(name string, in interface{}) error {
data, err := ioutil.ReadFile(name)
if err == os.ErrPermission || err == os.ErrClosed {
return err
} else if err != nil {
return nil
}
return json.Unmarshal(data, in)
}
type weakpassHolder struct {
Contains []string `json:"contains"`
Literal []string `json:"literal"`
}
func InitWeakPasswords() error {
var weakpass weakpassHolder
err := unmarshalJsonFile("./config/weakpass_default.json", &weakpass)
if err != nil {
return err
}
wcon := make(map[string]struct{})
for _, item := range weakpass.Contains {
wcon[item] = struct{}{}
}
for _, item := range weakpass.Literal {
weakPassLit[item] = struct{}{}
}
weakpass = weakpassHolder{}
err = unmarshalJsonFileIgnore404("./config/weakpass.json", &weakpass)
if err != nil {
return err
}
for _, item := range weakpass.Contains {
wcon[item] = struct{}{}
}
for _, item := range weakpass.Literal {
weakPassLit[item] = struct{}{}
}
weakPassStrings = make([]string, len(wcon))
var i int
for pattern, _ := range wcon {
weakPassStrings[i] = pattern
i++
}
for _, passBit := range weakPassStrings {
if strings.Contains(lowPassword, passBit) {
s := "You may not have "
for i, passBit := range weakPassStrings {
if i > 0 {
@ -390,7 +431,45 @@ func WeakPassword(password, username, email string) error {
}
s += "'" + passBit + "'"
}
return errors.New(s + " in your password")
ErrWeakPasswordContains = errors.New(s + " in your password")
return nil
}
var weakPassStrings []string
var weakPassLit = make(map[string]struct{})
var ErrWeakPasswordNone = errors.New("You didn't put in a password.")
var ErrWeakPasswordShort = errors.New("Your password needs to be at-least eight characters long")
var ErrWeakPasswordNameInPass = errors.New("You can't use your name in your password.")
var ErrWeakPasswordEmailInPass = errors.New("You can't use your email in your password.")
var ErrWeakPasswordCommon = errors.New("You may not use a password that is in common use")
var ErrWeakPasswordNoNumbers = errors.New("You don't have any numbers in your password")
var ErrWeakPasswordNoUpper = errors.New("You don't have any uppercase characters in your password")
var ErrWeakPasswordNoLower = errors.New("You don't have any lowercase characters in your password")
var ErrWeakPasswordUniqueChars = errors.New("You don't have enough unique characters in your password")
var ErrWeakPasswordContains error
// TODO: Write a test for this
func WeakPassword(password, username, email string) error {
lowPassword := strings.ToLower(password)
switch {
case password == "":
return ErrWeakPasswordNone
case len(password) < 8:
return ErrWeakPasswordShort
case len(username) > 3 && strings.Contains(lowPassword, strings.ToLower(username)):
return ErrWeakPasswordNameInPass
case len(email) > 2 && strings.Contains(lowPassword, strings.ToLower(email)):
return ErrWeakPasswordEmailInPass
}
_, ok := weakPassLit[lowPassword]
if ok {
return ErrWeakPasswordCommon
}
for _, passBit := range weakPassStrings {
if strings.Contains(lowPassword, passBit) {
return ErrWeakPasswordContains
}
}
@ -418,22 +497,22 @@ func WeakPassword(password, username, email string) error {
}
}
if numbers == 0 {
return errors.New("You don't have any numbers in your password")
}
if upper == 0 {
return errors.New("You don't have any uppercase characters in your password")
return ErrWeakPasswordNoUpper
}
if lower == 0 {
return errors.New("You don't have any lowercase characters in your password")
return ErrWeakPasswordNoLower
}
if len(password) < 18 {
if numbers == 0 {
return ErrWeakPasswordNoNumbers
}
if (len(password) / 2) > len(charMap) {
return errors.New("You don't have enough unique characters in your password")
return ErrWeakPasswordUniqueChars
}
} else if (len(password) / 3) > len(charMap) {
// Be a little lenient on the number of unique characters for long passwords
return errors.New("You don't have enough unique characters in your password")
return ErrWeakPasswordUniqueChars
}
return nil
}
@ -445,7 +524,7 @@ func CanonEmail(email string) string {
// Gmail emails are equivalent without the dots
espl := strings.Split(email, "@")
if len(espl) >= 2 && espl[1] == "gmail.com" {
return strings.Replace(espl[0],".","",-1) + "@" + espl[1]
return strings.Replace(espl[0], ".", "", -1) + "@" + espl[1]
}
return email

View File

@ -159,6 +159,9 @@ func storeInit() (err error) {
if err = c.InitEmoji(); err != nil {
return errors.WithStack(err)
}
if err = c.InitWeakPasswords(); err != nil {
return errors.WithStack(err)
}
log.Print("Loading the static files.")
if err = c.Themes.LoadStaticFiles(); err != nil {

View File

@ -2,7 +2,6 @@ package main
import (
"bytes"
"strings"
"database/sql"
"fmt"
"io/ioutil"
@ -10,12 +9,14 @@ import (
"os"
"runtime/debug"
"strconv"
"strings"
"testing"
"time"
c "github.com/Azareal/Gosora/common"
"github.com/Azareal/Gosora/common/gauth"
"github.com/Azareal/Gosora/common/phrases"
"github.com/pkg/errors"
)
func miscinit(t *testing.T) {
@ -2002,25 +2003,84 @@ func TestWidgets(t *testing.T) {
func TestUtils(t *testing.T) {
email := "test@example.com"
cemail := c.CanonEmail(email)
expect(t,cemail==email,fmt.Sprintf("%s should be %s", cemail, email))
expect(t, cemail == email, fmt.Sprintf("%s should be %s", cemail, email))
email = "test.test@example.com"
cemail = c.CanonEmail(email)
expect(t,cemail==email,fmt.Sprintf("%s should be %s", cemail, email))
expect(t, cemail == email, fmt.Sprintf("%s should be %s", cemail, email))
email = "test.test@gmail.com"
eemail := "testtest@gmail.com"
cemail = c.CanonEmail(email)
expect(t,cemail==eemail,fmt.Sprintf("%s should be %s", cemail, eemail))
expect(t, cemail == eemail, fmt.Sprintf("%s should be %s", cemail, eemail))
email = "TEST.test@gmail.com"
eemail = "testtest@gmail.com"
cemail = c.CanonEmail(email)
expect(t,cemail==eemail,fmt.Sprintf("%s should be %s", cemail, eemail))
expect(t, cemail == eemail, fmt.Sprintf("%s should be %s", cemail, eemail))
email = "test.TEST.test@gmail.com"
eemail = "testtesttest@gmail.com"
cemail = c.CanonEmail(email)
expect(t, cemail == eemail, fmt.Sprintf("%s should be %s", cemail, eemail))
email = "test..TEST.test@gmail.com"
eemail = "testtesttest@gmail.com"
cemail = c.CanonEmail(email)
expect(t, cemail == eemail, fmt.Sprintf("%s should be %s", cemail, eemail))
email = "TEST.test@example.com"
lowEmail := strings.ToLower(email)
cemail = c.CanonEmail(email)
expect(t,cemail==lowEmail,fmt.Sprintf("%s should be %s", cemail, lowEmail))
expect(t, cemail == lowEmail, fmt.Sprintf("%s should be %s", cemail, lowEmail))
email = "test.TEST.test@example.com"
lowEmail = strings.ToLower(email)
cemail = c.CanonEmail(email)
expect(t, cemail == lowEmail, fmt.Sprintf("%s should be %s", cemail, lowEmail))
/*weakPass := func(password, username, email string) func(error,string,...interface{}) {
err := c.WeakPassword(password, username, email)
return func(expectErr error, m string, p ...interface{}) {
m = fmt.Sprintf("pass=%s, user=%s, email=%s ", password, username, email) + m
expect(t, err == expectErr, fmt.Sprintf(m,p...))
}
}*/
nilErrStr := func(e error) error {
if e == nil {
e = errors.New("nil")
}
return e
}
weakPass := func(password, username, email string) func(error) {
err := c.WeakPassword(password, username, email)
e := nilErrStr(err)
m := fmt.Sprintf("pass=%s, user=%s, email=%s ", password, username, email)
return func(expectErr error) {
ee := nilErrStr(expectErr)
expect(t, err == expectErr, m+fmt.Sprintf("err should be '%s' not '%s'", ee, e))
}
}
//weakPass("test", "test", "test@example.com")(c.ErrWeakPasswordContains,"err should be ErrWeakPasswordContains not '%s'")
weakPass("", "draw", "test@example.com")(c.ErrWeakPasswordNone)
weakPass("test", "draw", "test@example.com")(c.ErrWeakPasswordShort)
weakPass("testtest", "draw", "test@example.com")(c.ErrWeakPasswordContains)
weakPass("testdraw", "draw", "test@example.com")(c.ErrWeakPasswordNameInPass)
weakPass("test@example.com", "draw", "test@example.com")(c.ErrWeakPasswordEmailInPass)
weakPass("meet@example.com2", "draw", "")(c.ErrWeakPasswordNoUpper)
weakPass("Meet@example.com2", "draw", "")(nil)
weakPass("test2", "draw", "test@example.com")(c.ErrWeakPasswordShort)
weakPass("test22222222", "draw", "test@example.com")(c.ErrWeakPasswordContains)
weakPass("superman", "draw", "test@example.com")(c.ErrWeakPasswordCommon)
weakPass("K\\@<^s}1", "draw", "test@example.com")(nil)
weakPass("K\\@<^s}r", "draw", "test@example.com")(c.ErrWeakPasswordNoNumbers)
weakPass("k\\@<^s}1", "draw", "test@example.com")(c.ErrWeakPasswordNoUpper)
weakPass("aaaaaaaa", "draw", "test@example.com")(c.ErrWeakPasswordNoUpper)
weakPass("aA1aA1aA1", "draw", "test@example.com")(c.ErrWeakPasswordUniqueChars)
weakPass("abababab", "draw", "test@example.com")(c.ErrWeakPasswordNoUpper)
weakPass("11111111111111111111", "draw", "test@example.com")(c.ErrWeakPasswordNoUpper)
weakPass("aaaaaaaaaaAAAAAAAAAA", "draw", "test@example.com")(c.ErrWeakPasswordUniqueChars)
weakPass("-:u/nMxb,A!n=B;H\\sjM", "draw", "test@example.com")(nil)
// TODO: More utils.go tests
}